Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/security/policy/unlimited/US_export_policy.jar
MD5: cee2524fdbae6b2cbbd93899daf986d8
SHA1: c43a0598da5ad5349e04f9a130611b5e890f5acb
SHA256:f73813f3e2c3370c8b7adfaf85bede99441930aef30adb3e8009a451acb768dc
Description:
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/activation-1.1.jar
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/animal-sniffer-annotations-1.17.jar
MD5: 7ca108b790cf6ab5dbf5422cc79f0d89
SHA1: f97ce6decaea32b36101e37979f8b647f00681fb
SHA256:92654f493ecfec52082e76354f0ebf87648dc3d5cec2e3c3cdb947c016747a53
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
SHA256:333ff5369043975b7e031b8b27206937441854738e038c1f47f98d072a20437a
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/charsets.jar
MD5: 6fcfadd087db54d9794bda958bee5c80
SHA1: ccd631d58958a23697d8d7c6564f4f0438aaee85
SHA256:507b86f7e8aecc568784730d97d955d09bf3850610396b47a856d464a91d63a1
Description:
Checker Qual is the set of annotations (qualifiers) and supporting classes
used by the Checker Framework to type check Java source code. Please
see artifact:
org.checkerframework:checker
License:
GNU General Public License, version 2 (GPL2), with the classpath exception: http://www.gnu.org/software/classpath/license.html
The MIT License: http://opensource.org/licenses/MIT
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/checker-compat-qual-2.5.2.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/cldrdata.jar
MD5: bd5a47224ddae1b3a485d1c5f80c48e4
SHA1: af51a9fd2afa905f6f2fbd5524f020dd0ac2ef4d
SHA256:bda2b83acbe87010b2f83f782d12823bc1c337e318b77cbf26965407292e9049
Description:
Commons-IO contains utility classes, stream implementations, file filters, and endian classes.
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/commons-io-1.3.2.jar
MD5: 903c04d1fb5d4dc81d95e4be93ff7ecd
SHA1: b6dde38349ba9bb5e6ea6320531eae969985dae5
SHA256:551c13e49dab32aebdb7a70ec9c2767372e58864ae115ef389582e548cffee38
Description:
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/commons-lang3-3.2.1.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/dnsns.jar
MD5: 1eba6d5b556726c89df7011e5aaf2fde
SHA1: e84272f3d7d4f6260eca93238a67f67d982c4c1a
SHA256:bb77da6338dada3a05aedb7dbb57dcfa3750d237149b20fceb1e5af952cfec70
License:
Apache 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/error_prone_annotations-2.2.0.jar
Description:
Contains
com.google.common.util.concurrent.internal.InternalFutureFailureAccess and
InternalFutures. Most users will never need to use this artifact. Its
classes are conceptually a part of Guava, but they're in this separate
artifact so that Android libraries can use them without pulling in all of
Guava (just as they can use ListenableFuture by depending on the
listenablefuture artifact).
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/failureaccess-1.0.1.jar
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/guava-27.0.1-android.jar
CVE-2020-8908 (OSSINDEX)
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/j2objc-annotations-1.1.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/jaccess.jar
MD5: b488ebcc7b90d48362dd0ff73df98e4a
SHA1: 699a7ac1b2845d9f61fa6a7523099f64bd062cab
SHA256:0f4035baa79e3c8d72cbe21473de172c1feb9481ddd4ed76bdc0c03b78e3596b
Description:
Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-annotations-2.9.10.jar
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-core-2.9.10.jar
Description:
Jackson is a high-performance JSON processor (parser, generator)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-core-asl-1.9.2.jar
Description:
General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-databind-2.9.10.jar
CVE-2019-16942 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-16943 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-17531 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-20330 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-10672 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-10673 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-10968 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-10969 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-11111 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-11112 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-11113 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-11619 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-11620 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-14060 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-14061 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-14062 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-14195 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-24616 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-24750 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-25649 (OSSINDEX)
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-35490 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-35491 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-35728 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36179 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36180 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36181 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36182 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36183 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36184 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36185 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36186 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36187 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36188 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-36189 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-8840 (OSSINDEX)
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-9546 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-9547 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2020-9548 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-20190 (OSSINDEX)
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
Support for reading and writing YAML-encoded data via Jackson abstractions.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-dataformat-yaml-2.9.10.jar
Description:
Jax-RS provider for JSON content type, based on Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-1.9.2.jar
Description:
Pile of code that is shared by all Jackson-based JAX-RS providers.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-base-2.9.10.jar
Description:
Functionality to handle JSON input/output for JAX-RS implementations (like Jersey and RESTeasy) using standard Jackson data binding.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-json-provider-2.9.10.jar
Description:
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-mapper-asl-1.9.2.jar
CVE-2017-15095 (OSSINDEX)
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-17485 (OSSINDEX)
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7525 (OSSINDEX)
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-1000873 (OSSINDEX)
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-14718 (OSSINDEX)
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-5968 (OSSINDEX)
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-7489 (OSSINDEX)
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-14540 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-14893 (OSSINDEX)
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-16335 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-17267 (OSSINDEX)
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
Support for using JAXB annotations as an alternative to "native" Jackson annotations, for configuring data-binding.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-module-jaxb-annotations-2.9.10.jar
Description:
Extensions that provide interoperability support for Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-xc-1.9.2.jar
Description:
Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation
simple. It is a class library for editing bytecodes in Java.
License:
MPL 1.1: http://www.mozilla.org/MPL/MPL-1.1.html
LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
Apache License 2.0: http://www.apache.org/licenses/
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/javassist-3.21.0-GA.jar
Description:
JAXB (JSR 222) API
License:
CDDL 1.0: https://glassfish.dev.java.net/public/CDDL+GPL.html
GPL2 w/ CPE: https://glassfish.dev.java.net/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jaxb-api-2.2.2.jar
Description:
JAXB (JSR 222) reference implementation
License:
CDDL 1.1: https://glassfish.java.net/public/CDDL+GPL_1_1.html
GPL2 w/ CPE: https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jaxb-impl-2.2.3-1.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/jce.jar
MD5: b233cb28ac93d59b7fa35d58995b4376
SHA1: 45e38210b8c85d0383b38cd2f2657ef1b57648a7
SHA256:1b38fc441bfa7a416830f9f7654a6f56980aaaf20b9bc4d481063869189bfba8
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-core-1.13.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-json-1.13.jar
Description:
Projects that provide additional functionality to jersey, like integration with other projects/frameworks.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-multipart-1.13.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-server-1.13.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-servlet-1.13.jar
Description:
A StAX implementation for JSON.
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jettison-1.1.jar
MD5: fc80e0aabd516c54739262c3d618303a
SHA1: 1a01a2a1218fcf9faa2cc2a6ced025bdea687262
SHA256:377940288b0643c48780137f6f68578937e1ea5ca2b73830a820c50a7b7ed801
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar
MD5: b664fe75238cb4f2b27d86eb14e4c68c
SHA1: c613c860720f2e526fdc6fd2fece7ebf73e4b382
SHA256:ee2257bc2e6b8154580dc9e396663df16c5fa3cbb74b16518e14b00aca130808
Description:
Common Annotations for the JavaTM Platform API
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/javax.annotation/javax.annotation-api/pom.xml
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/javax.servlet.jsp/javax.servlet.jsp-api/pom.xml
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/javax.servlet/javax.servlet-api/pom.xml
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.toolchain/jetty-schemas/pom.xml
MD5: 95e337b6b65c475e35426b1abc92e280
SHA1: 0f87883ed660933cac15c852a9aba3fd91ca5598
SHA256:e5679dcc8bb56b94d7223368d290f49f338f1f02eccb2972bbef55b16bea6456
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-api/pom.xml
MD5: 4030ac43289238dc2e983d5563850db3
SHA1: 8d5ea296bff426e4cf2e7f904f4e623a3c1da118
SHA256:6d6e5a70347722433f3998b6137278ad0752509f05808e49101ba22ae4cbe38b
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-client/pom.xml
MD5: 3f57d72aba8ee11a27de55213171d1f4
SHA1: 7e3c8d84814eb57e7db6aab1cd2c9c64b7f2e1b2
SHA256:17e86c5a8c3a4a3aaed3a0566c44b4e51f105734b5343577df4321482048ba03
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-common/pom.xml
MD5: 478036a6a830eaf84ae301d1ec82efae
SHA1: 9fc082ea6adeaa752100d9cb87354bb538016273
SHA256:006056fb249cde89ab7d739f2104997c617a7b30f6657ca10fa65d26dcac92f6
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-server/pom.xml
MD5: 5a8d1ad2be29ae06272fc46ae72f5132
SHA1: 07b75086a59b5cf656d88a647b7eaaa431d1d042
SHA256:2296f386e535f440a8c388663dafbf913b2652fc578022b57ded44891fac352e
CVE-2017-7656 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7657 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7658 (OSSINDEX)
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-12536 (OSSINDEX)
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10241 (OSSINDEX)
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10247 (OSSINDEX)
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-28165 (OSSINDEX)
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-28169 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-34428 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-servlet/pom.xml
MD5: a8b1e1a7382115c0af8cdf30ba95645b
SHA1: 1bf770fb4c79b1e8ccf93085a4cdfde6d31d3dfd
SHA256:bc94a505e5bf37ebadee6ba85dfdf01e3355a408f1133c8e0ca4bfbf09e3e891
Description:
Annotation support for deploying servlets in jetty.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-annotations/pom.xml
MD5: 667b7d770753508e7e02a3d35a6b76ad
SHA1: e08057d4cd3649b81caec09f1a92292e5b21a8ec
SHA256:157b6497e5543af12eb5ff1817b7638d4432a6d764d3adb8e763b4c12f540866
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: 2ec1053164f601a110f451089cfa58bb
SHA1: d3d757e0e8625e8804ecdd9e6d52fbfb95c31c80
SHA256:ca466abf19e2e35a2e878b9b63faf89eaffb73bee6c97d1c7e4f60aeadd22d30
CVE-2017-7656 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7657 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7658 (OSSINDEX)
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-12536 (OSSINDEX)
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10241 (OSSINDEX)
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10247 (OSSINDEX)
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-28169 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-34428 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: e0b67eb63f3feaf0e4348910e812ea91
SHA1: 64d4d058329620deb1744296276dd8dd4a416bac
SHA256:eee2f9e4de5972a61879411d8d93266afa7dc8528bff5e3a0fcdc8f2ea8108fd
Description:
Jetty JAAS support
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jaas/pom.xml
MD5: 6b8cbb4809c2b2e03616b8bc8455283c
SHA1: b72397789f0979cf0c22d09888d7a407369d35da
SHA256:cef1af6045c3bfb2491555e3fd9dc55ee9c2893e019952da64ad09605c3a3ddf
Description:
JNDI spi impl for java namespace.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jndi/pom.xml
MD5: 1399e2e1bbc32a197f5dfdf72dc1923a
SHA1: a86ccccc24fb40e36607ca6cfb0e644350216ee2
SHA256:bbb9c1163f9553cddd4ff456cb8b2936010768d689e1d44f34a34843d60cbfa1
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jsp/pom.xml
MD5: 2958b5c261e4d3dda935ca34fe3599c2
SHA1: a42133eb9985659dc1ce5cb2e9b07ef389adb72b
SHA256:0064b454084f7ce3be4129ee3fd8de232e886dca8d3a80950632f3bae2cf03bb
Description:
Jetty JavaEE style services
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
MD5: e59906d83cbddfb6c79a75cbc0b79bbd
SHA1: fadef3109fca007c79147f17bf5ffbb15bbd5f3b
SHA256:99317767ee2b8bd8833323721235d6163e38f3a18c52a394f22b5c26f5f33d49
CVE-2017-7656 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7657 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7658 (OSSINDEX)
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-12536 (OSSINDEX)
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10241 (OSSINDEX)
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10247 (OSSINDEX)
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-28169 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-34428 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
Jetty security infrastructure
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: d5b16c990e2b1295f006d33c61baf65b
SHA1: e7f6e826eceff59d70f23d787d8c45e55d8b18de
SHA256:895841806d9f0dcfb64de5d219767cd8f9dbe01b4a839ce153a80b01278ca50d
Description:
The core jetty server artifact.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: e0789e8ba0e1b42ab63089574ab58741
SHA1: 61318575d3f342c87df515882ec781eb5de42ee5
SHA256:300833380d92c358c04204f949f85aaa13723ec4ff58d5daba9dcd4280878799
CVE-2017-7656 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7657 (OSSINDEX)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-7658 (OSSINDEX)
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2017-9735 (OSSINDEX)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2018-12536 (OSSINDEX)
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10241 (OSSINDEX)
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2019-10247 (OSSINDEX)
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-28169 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
CVE-2021-34428 (OSSINDEX)
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
Jetty Servlet Container
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: c45f63d8cd0d366f06eb6d9591019c57
SHA1: 9f27d15c3d23f140edc1c516908f74aa070ae0ee
SHA256:8dd9816436f42ca25260b8c58e608f828ef14658f650a016ab2d1171269a63e3
Description:
Utility classes for Jetty
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: 521aeb04e83fa456d308fca3acea7f3a
SHA1: af58c0badd08b471ddc8a49c405b523f226acf73
SHA256:6617fe358c18d1ebdb36177054b9a375f32be2db99a664ed9dfdcd276750c638
Description:
Jetty web application support
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-webapp/pom.xml
MD5: 9acc3eddcace28d6f4a4ad56152135cd
SHA1: 0d5faf195c021a7ce5c724188ac5abd962d5bc3e
SHA256:6c73618fbbc64531c929065eab98e946e5f4f5977d710f5e2b30d2035fbf064f
Description:
The jetty xml utilities.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-xml/pom.xml
MD5: 564db350302dc1d9847118a87604b0e3
SHA1: 601b5c88c2f0f119e06c7090d50fa8a119e1e804
SHA256:993ed9ed47de90ec29543f3bcba7f737ba29a29168b4841e9a71f3079a8ae8e2
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.glassfish.web/javax.servlet.jsp.jstl/pom.xml
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.glassfish.web/javax.servlet.jsp/pom.xml
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.glassfish/javax.el/pom.xml
Description:
JSR305 Annotations for Findbugs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jsr305-3.0.2.jar
License:
CDDL License: http://www.opensource.org/licenses/cddl1.php
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jsr311-api-1.1.1.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/jsse.jar
MD5: 30a1b95d07047a5d5ed5e59e7278042c
SHA1: ae513f69de55fe94bd7bccd0e67500f9ac9565c1
SHA256:c149dc78a45ab428dab77524b3582547650cc63c6b8ad17d1be06cca9aa7d775
Description:
An empty artifact that Guava depends on to signal that it is providing
ListenableFuture -- but is also available in a second "version" that
contains com.google.common.util.concurrent.ListenableFuture class, without
any other Guava classes. The idea is:
- If users want only ListenableFuture, they depend on listenablefuture-1.0.
- If users want all of Guava, they depend on guava, which, as of Guava
27.0, depends on
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-...
version number is enough for some build systems (notably, Gradle) to select
that empty artifact over the "real" listenablefuture-1.0 -- avoiding a
conflict with the copy of ListenableFuture in guava itself. If users are
using an older version of Guava or a build system other than Gradle, they
may see class conflicts. If so, they can solve them by manually excluding
the listenablefuture artifact or manually forcing their build systems to
use 9999.0-....
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
MD5: d094c22570d65e132c19cea5d352e381
SHA1: b421526c5f297295adef1c886e5246c39d4ac629
SHA256:b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/security/policy/limited/local_policy.jar
MD5: aa0b0a8034cebe483861e48f1942b3cb
SHA1: 5dd851f6e0e60bbadc94107050c6d17e5d2d30f5
SHA256:516c2063e7aaac0afafc9c6610d91f43f14a2e7d019bd5d3ae9d532f68d6372a
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/security/policy/unlimited/local_policy.jar
MD5: 197f10571bfd51cbf4a6f8355b2e387a
SHA1: c1ba54088b99e7f628081814720f24d9b836405b
SHA256:5e1233ef7de2ca4a8e1035bb0b4e9b8f7aab0242138bfd6f5abaf8c4aa999da8
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/localedata.jar
MD5: 09fc2f233c564fd6fa03eb20a2e7959f
SHA1: 15f695b0efd4571f5d21d9eea7bc1f834ec26fa9
SHA256:7fcbdf0108c055a4347e14687cb46e89d6ba27d47960c5920c26abfa73f43442
Description:
Logback: the reliable, generic, fast and flexible logging library for Java.
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html GNU Lesser General Public License: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/logback-classic-1.0.1.jar
CVE-2017-5929 (OSSINDEX)
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
Logback: the generic, reliable, fast and flexible logging library for Java.
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html GNU Lesser General Public License: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/logback-core-1.0.1.jar
CVE-2017-5929 (OSSINDEX)
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/management-agent.jar
MD5: d1e9b1d4a3c62f0742ae8d0a195b778e
SHA1: 6dff5c0f8b374ce981b9b8ed9b34d8102cc2d4d6
SHA256:14912406e5defd61b9315713824f731c49477ffa16e7a4067bb637a430cae761
Description:
Provides a streaming API to access attachments parts in a MIME message.
License:
Dual license consisting of the CDDL v1.1 and GPL v2: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/mimepull-1.6.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/nashorn.jar
MD5: abc97d27d6d43f4760eed163c035d312
SHA1: 4ffbc5b9f8f7d51d8b6a303c70230d274aba7520
SHA256:cfd22a6c1d89a3b2595057803f7f79933d7b89918dd2151d1d188b572a1dbb57
Description:
Reflections - a Java runtime metadata analysis
License:
WTFPL: http://www.wtfpl.net/ The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/reflections-0.9.11.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/resources.jar
MD5: 3d6a5da6915207869ace623ea14f63d8
SHA1: abd77ffe73245f9d1eed4c0766991813a5024516
SHA256:4a9d57f650734040b8d8df137df0b088c4a6908a90cdaca090cc5e2f34b4b3f5
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/rt.jar
MD5: 3661e69c0a67b28ef11ff47ad6319290
SHA1: eb641fa3e2ac49651e13cbee18c573c41a5f415f
SHA256:0d2b2fedfe10248461c7295ec96bd97720d42b376a7aa12508753af0a6549d16
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/servlet-api-2.5.jar
MD5: 69ca51af4e9a67a1027a7f95b52c3e8f
SHA1: 5959582d97d8b61f4d154ca9e495aafd16726e34
SHA256:c658ea360a70faeeadb66fb3c90a702e4142a0ab7768f9ae9828678e0d9ad4dc
Description:
The slf4j API
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/slf4j-api-1.6.4.jar
MD5: 75e1a2a3b84c59bf9d4f42de57a533b1
SHA1: 2396d74b12b905f780ed7966738bb78438e8371a
SHA256:367b909030f714ee1176ab096b681e06348f03385e98d1bce0ed801b5452357e
Description:
YAML 1.1 parser and emitter for Java
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/snakeyaml-1.23.jar
CVE-2017-18640 (OSSINDEX)
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVSSv3:
Vulnerable Software & Versions (OSSINDEX):
Description:
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/stax-api-1.0-2.jar
Description:
StAX API is the standard java XML processing API defined by JSR-173
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/stax-api-1.0.1.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunec.jar
MD5: cc8f945599ae371bfb2f565ffdc3e846
SHA1: a028af7b0e74ac0b576d95d4c06e056fe5c5e5c2
SHA256:6688c4649146d050b949f4f6d61f887de60f59ae81b8fa67c55acc0a50371a7b
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunjce_provider.jar
MD5: bc2bcc31dec7bdff87cb54a85a7be162
SHA1: 004362ac24543b3fff2c66dde1fad7a88079676a
SHA256:0b4f50e2b04ba80667fd399ef0155c9349c74878726955d14a82fe1ab005757f
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunpkcs11.jar
MD5: 1e0a27ef4adf59d360f3370d070bbeb0
SHA1: 4a4e9c2c139bd4b1119b5fca16f2dbb4f5bd935e
SHA256:ae78f6fcc6102490f380bcbb513ef2a728b2b5444e7d3aea8089b33b70fda44e
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-annotations-1.5.24.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-core-1.5.24.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-jaxrs-1.5.24.jar
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-jersey-jaxrs-1.5.24.jar
MD5: af9d6ebb9bc8179ea935ebd4c462edb2
SHA1: abef4190ecbd883c43c05b6722948229c1e25d38
SHA256:756c6ae9271e5a66fd58a9044fee7b17b12568a55c649e917e2b4ebc9050c647
License:
http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-models-1.5.24.jar
Description:
Bean Validation API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/validation-api-1.1.0.Final.jar
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/zipfs.jar
MD5: 03bf6e029ce5e39179291918f69d71da
SHA1: bfd6c508181a65c8db8ec331fde2784b8e239bfc
SHA256:125b2ab210d3e90d11c5e06b32cfa1fd1b1fe7c6768aa88f4202edaaebfd0287
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/asm-3.1.jar
MD5: b9b8d2d556f9458aac8c463fd511f86d
SHA1: c157def142714c544bdea2e6144645702adf7097
SHA256: 333ff5369043975b7e031b8b27206937441854738e038c1f47f98d072a20437a
CVE-2007-0156 suppressed
M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb.
NVD-CWE-Other
Vulnerable Software & Versions:
Description:
Commons-IO contains utility classes, stream implementations, file filters, and endian classes.
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/commons-io-1.3.2.jar
MD5: 903c04d1fb5d4dc81d95e4be93ff7ecd
SHA1: b6dde38349ba9bb5e6ea6320531eae969985dae5
SHA256: 551c13e49dab32aebdb7a70ec9c2767372e58864ae115ef389582e548cffee38
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/guava-27.0.1-android.jar
CVE-2020-8908 suppressed
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource
Vulnerable Software & Versions:
Description:
Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-annotations-2.9.10.jar
Description:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-core-2.9.10.jar
Description:
General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-databind-2.9.10.jar
CVE-2019-16942 suppressed
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2019-16943 suppressed
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2019-17531 suppressed
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2019-20330 suppressed
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-10672 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
NVD-CWE-Other
Vulnerable Software & Versions:
CVE-2020-10673 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
NVD-CWE-Other
Vulnerable Software & Versions:
CVE-2020-10968 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-10969 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-11111 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-11112 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-11113 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-11619 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-11620 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-14060 suppressed
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-14061 suppressed
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-14062 suppressed
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-14195 suppressed
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-24616 suppressed
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CWE-94 Improper Control of Generation of Code ('Code Injection')
Vulnerable Software & Versions:
CVE-2020-24750 suppressed
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-25649 suppressed
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Vulnerable Software & Versions:
CVE-2020-35490 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-35491 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-35728 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36179 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36180 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36181 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36182 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36183 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36184 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36185 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36186 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36187 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36188 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-36189 suppressed
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-8840 suppressed
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-9546 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-9547 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2020-9548 suppressed
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
CVE-2021-20190 suppressed
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CWE-502 Deserialization of Untrusted Data
Vulnerable Software & Versions:
Description:
Support for reading and writing YAML-encoded data via Jackson abstractions.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-dataformat-yaml-2.9.10.jar
Description:
Jax-RS provider for JSON content type, based on Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-jaxrs-1.9.2.jar
CVE-2018-7489 suppressed
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
Vulnerable Software & Versions:
Description:
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-mapper-asl-1.9.2.jar
CVE-2019-10172 suppressed
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Vulnerable Software & Versions:
Description:
Extensions that provide interoperability support for Jackson JSON processor's data binding functionality.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
GNU Lesser General Public License (LGPL), Version 2.1: http://www.fsf.org/licensing/licenses/lgpl.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jackson-xc-1.9.2.jar
CVE-2018-7489 suppressed
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
Vulnerable Software & Versions:
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-core-1.13.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-json-1.13.jar
Description:
Projects that provide additional functionality to jersey, like integration with other projects/frameworks.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-multipart-1.13.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-server-1.13.jar
Description:
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
License:
http://glassfish.java.net/public/CDDL+GPL_1_1.html, http://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/jersey-servlet-1.13.jar
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar
MD5: b664fe75238cb4f2b27d86eb14e4c68c
SHA1: c613c860720f2e526fdc6fd2fece7ebf73e4b382
SHA256: ee2257bc2e6b8154580dc9e396663df16c5fa3cbb74b16518e14b00aca130808
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
Vulnerable Software & Versions:
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
Vulnerable Software & Versions:
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Vulnerable Software & Versions:
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
Vulnerable Software & Versions:
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions:
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
Vulnerable Software & Versions:
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
Vulnerable Software & Versions:
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Vulnerable Software & Versions:
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
Vulnerable Software & Versions:
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Vulnerable Software & Versions:
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-client/pom.xml
MD5: 3f57d72aba8ee11a27de55213171d1f4
SHA1: 7e3c8d84814eb57e7db6aab1cd2c9c64b7f2e1b2
SHA256: 17e86c5a8c3a4a3aaed3a0566c44b4e51f105734b5343577df4321482048ba03
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
Vulnerable Software & Versions:
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
Vulnerable Software & Versions:
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Vulnerable Software & Versions:
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
Vulnerable Software & Versions:
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions:
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
Vulnerable Software & Versions:
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-common/pom.xml
MD5: 478036a6a830eaf84ae301d1ec82efae
SHA1: 9fc082ea6adeaa752100d9cb87354bb538016273
SHA256: 006056fb249cde89ab7d739f2104997c617a7b30f6657ca10fa65d26dcac92f6
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-server/pom.xml
MD5: 5a8d1ad2be29ae06272fc46ae72f5132
SHA1: 07b75086a59b5cf656d88a647b7eaaa431d1d042
SHA256: 2296f386e535f440a8c388663dafbf913b2652fc578022b57ded44891fac352e
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty.websocket/websocket-servlet/pom.xml
MD5: a8b1e1a7382115c0af8cdf30ba95645b
SHA1: 1bf770fb4c79b1e8ccf93085a4cdfde6d31d3dfd
SHA256: bc94a505e5bf37ebadee6ba85dfdf01e3355a408f1133c8e0ca4bfbf09e3e891
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
Annotation support for deploying servlets in jetty.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-annotations/pom.xml
MD5: 667b7d770753508e7e02a3d35a6b76ad
SHA1: e08057d4cd3649b81caec09f1a92292e5b21a8ec
SHA256: 157b6497e5543af12eb5ff1817b7638d4432a6d764d3adb8e763b4c12f540866
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-http/pom.xml
MD5: 2ec1053164f601a110f451089cfa58bb
SHA1: d3d757e0e8625e8804ecdd9e6d52fbfb95c31c80
SHA256: ca466abf19e2e35a2e878b9b63faf89eaffb73bee6c97d1c7e4f60aeadd22d30
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-io/pom.xml
MD5: e0b67eb63f3feaf0e4348910e812ea91
SHA1: 64d4d058329620deb1744296276dd8dd4a416bac
SHA256: eee2f9e4de5972a61879411d8d93266afa7dc8528bff5e3a0fcdc8f2ea8108fd
CVE-2021-28165 (OSSINDEX) suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Notes: file names: jetty-http-9.4.37.v20210219.jar + jetty-server-9.4.37.v20210219.jar CVE description: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. Our services are not affected because they only use HTTP within the cluster for communication.
Vulnerable Software & Versions (OSSINDEX):
Description:
Jetty JAAS support
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jaas/pom.xml
MD5: 6b8cbb4809c2b2e03616b8bc8455283c
SHA1: b72397789f0979cf0c22d09888d7a407369d35da
SHA256: cef1af6045c3bfb2491555e3fd9dc55ee9c2893e019952da64ad09605c3a3ddf
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
JNDI spi impl for java namespace.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jndi/pom.xml
MD5: 1399e2e1bbc32a197f5dfdf72dc1923a
SHA1: a86ccccc24fb40e36607ca6cfb0e644350216ee2
SHA256: bbb9c1163f9553cddd4ff456cb8b2936010768d689e1d44f34a34843d60cbfa1
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-jsp/pom.xml
MD5: 2958b5c261e4d3dda935ca34fe3599c2
SHA1: a42133eb9985659dc1ce5cb2e9b07ef389adb72b
SHA256: 0064b454084f7ce3be4129ee3fd8de232e886dca8d3a80950632f3bae2cf03bb
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
Jetty JavaEE style services
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-plus/pom.xml
MD5: e59906d83cbddfb6c79a75cbc0b79bbd
SHA1: fadef3109fca007c79147f17bf5ffbb15bbd5f3b
SHA256: 99317767ee2b8bd8833323721235d6163e38f3a18c52a394f22b5c26f5f33d49
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
Jetty security infrastructure
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-security/pom.xml
MD5: d5b16c990e2b1295f006d33c61baf65b
SHA1: e7f6e826eceff59d70f23d787d8c45e55d8b18de
SHA256: 895841806d9f0dcfb64de5d219767cd8f9dbe01b4a839ce153a80b01278ca50d
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
The core jetty server artifact.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-server/pom.xml
MD5: e0789e8ba0e1b42ab63089574ab58741
SHA1: 61318575d3f342c87df515882ec781eb5de42ee5
SHA256: 300833380d92c358c04204f949f85aaa13723ec4ff58d5daba9dcd4280878799
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
Jetty Servlet Container
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-servlet/pom.xml
MD5: c45f63d8cd0d366f06eb6d9591019c57
SHA1: 9f27d15c3d23f140edc1c516908f74aa070ae0ee
SHA256: 8dd9816436f42ca25260b8c58e608f828ef14658f650a016ab2d1171269a63e3
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
Utility classes for Jetty
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-util/pom.xml
MD5: 521aeb04e83fa456d308fca3acea7f3a
SHA1: af58c0badd08b471ddc8a49c405b523f226acf73
SHA256: 6617fe358c18d1ebdb36177054b9a375f32be2db99a664ed9dfdcd276750c638
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
Jetty web application support
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-webapp/pom.xml
MD5: 9acc3eddcace28d6f4a4ad56152135cd
SHA1: 0d5faf195c021a7ce5c724188ac5abd962d5bc3e
SHA256: 6c73618fbbc64531c929065eab98e946e5f4f5977d710f5e2b30d2035fbf064f
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
Description:
The jetty xml utilities.
File Path: /tmp/image-unpacked/petstore/jetty-runner.jar/META-INF/maven/org.eclipse.jetty/jetty-xml/pom.xml
MD5: 564db350302dc1d9847118a87604b0e3
SHA1: 601b5c88c2f0f119e06c7090d50fa8a119e1e804
SHA256: 993ed9ed47de90ec29543f3bcba7f737ba29a29168b4841e9a71f3079a8ae8e2
CVE-2017-7656 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
NVD-CWE-noinfo
CVE-2017-7657 suppressed
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'), CWE-190 Integer Overflow or Wraparound
CVE-2017-7658 suppressed
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVE-2018-12536 suppressed
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
NVD-CWE-noinfo
CVE-2019-10241 suppressed
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10247 suppressed
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
CWE-200 Information Exposure
CVE-2020-27216 suppressed
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
NVD-CWE-Other
CVE-2021-28165 suppressed
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
CVE-2021-28169 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CWE-200 Information Exposure
CVE-2021-34428 suppressed
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
CWE-613 Insufficient Session Expiration
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/jsse.jar
MD5: 30a1b95d07047a5d5ed5e59e7278042c
SHA1: ae513f69de55fe94bd7bccd0e67500f9ac9565c1
SHA256: c149dc78a45ab428dab77524b3582547650cc63c6b8ad17d1be06cca9aa7d775
Description:
Logback: the reliable, generic, fast and flexible logging library for Java.
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
GNU Lesser General Public License: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/logback-classic-1.0.1.jar
CVE-2017-5929 suppressed
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CWE-502 Deserialization of Untrusted Data
Description:
Logback: the generic, reliable, fast and flexible logging library for Java.
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
GNU Lesser General Public License: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/logback-core-1.0.1.jar
CVE-2017-5929 suppressed
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CWE-502 Deserialization of Untrusted Data
Description:
YAML 1.1 parser and emitter for Java
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/snakeyaml-1.23.jar
CVE-2017-18640 suppressed
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunec.jar
MD5: cc8f945599ae371bfb2f565ffdc3e846
SHA1: a028af7b0e74ac0b576d95d4c06e056fe5c5e5c2
SHA256: 6688c4649146d050b949f4f6d61f887de60f59ae81b8fa67c55acc0a50371a7b
File Path: /tmp/image-unpacked/usr/local/openjdk-8/lib/ext/sunpkcs11.jar
MD5: 1e0a27ef4adf59d360f3370d070bbeb0
SHA1: 4a4e9c2c139bd4b1119b5fca16f2dbb4f5bd935e
SHA256: ae78f6fcc6102490f380bcbb513ef2a728b2b5444e7d3aea8089b33b70fda44e
File Path: /tmp/image-unpacked/petstore/webapp/WEB-INF/lib/swagger-jersey-jaxrs-1.5.24.jar
MD5: af9d6ebb9bc8179ea935ebd4c462edb2
SHA1: abef4190ecbd883c43c05b6722948229c1e25d38
SHA256: 756c6ae9271e5a66fd58a9044fee7b17b12568a55c649e917e2b4ebc9050c647